How much does a data breach cost? The average total cost of a data breach has risen to roughly $4 million, according to a 2016 survey of information technology (IT) security professionals by the Ponemon Institute (a research center dedicated to privacy, data protection, and information security policy). That figure has grown 29 percent from 2013. The study also estimates that U.S. companies have a 24 percent probability of experiencing a material data breach within the next 24 months.
Auditors consider all kinds of risks when they prepare financial statements. Here is how they specifically tackle the issue of IT security in an audit.
Audit scope
Auditing standards require an auditor to:
- Learn how the business uses IT and the impact of IT on the financial statements
- Understand the extent of the company’s automated controls as they relate to financial reporting
- Use his or her understanding of the business’s IT systems and controls in assessing the risks of material misstatement of financial statements, including IT risks resulting from unauthorized access
The auditor’s role is limited to the audit of the financial statements and, if applicable, the internal control over financial reporting (ICFR).
Primary focus
An auditor’s primary focus is on the controls and systems in closest proximity to the application data of interest to the audit. This includes enterprise resource planning (ERP) systems, single-purpose applications (such as fixed asset systems), and any connected systems that house data related to the financial statements.
The auditor’s responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform. But if an auditor learns of a material breach while performing audit procedures, he or she should consider its impact on financial reporting (including disclosures) and on ICFR.
Bridging the gaps
Cyberthreats have become increasingly common and costly. So, it is critical for companies to understand the scope of the external auditor’s responsibilities in this area and develop a cybersecurity program that bridges the gaps.